Bugtraq mailing list archives

VIGILANTe advisory 2001003 : Atmel SNMP Non Public Community String DoS Vulnerability


From: Frederic Brouille <frederic.brouille () vigilante com>
Date: Fri, 21 Dec 2001 17:49:24 +0100

Atmel SNMP Non Public Community String DoS Vulnerability
Advisory Code: VIGILANTE-2001003
Release Date: December 21, 2001

Systems affected:
Atmel Firmware 1.3
Tested on a WAP11 Linksys Wireless Access Point, WPC11 Wireless network PC
card (PCMCIA+PCI) under Windows 2000

Systems not affected:
Vendor released a more recent version of this software, but it is not known
if it is vulnerable to this attack. We did not perform tests on this newer
version.

The problem:
During some tests we noticed that the 1.3 version firmware contains a flaw
that may result in a denial of service, preventing any further request
from being correctly handled by the device.

If an SNMP read request is made with a community name other than "public"
(including a NULL community string) or with an unknown OID, it leads to a
denial of service even if the answer is correct (i.e. the error code returned
in the reply is ok). Any SNMP request made to the Wireless Access Point is then
denied. A reset of the appliance is necessary to recover normal functioning.

Vendor status:
Linksys was contacted on October 30, 2001 and answered. They say that the 1.3
firmware for the WAP11 is a somewhat dated release. The current shipping
version is 1.4g.5.

Vulnerability Assessment:
A test case to detect this vulnerability was added to SecureScan NX in the
upgrade package of December 21, 2001. You can see the documentation of this
test case 15471 on SecureScan NX web site at
http://securescannx.vigilante.com/tc/15471 

Fix:
Vendor suggested the following : "for customers that have earlier versions,
new code is available on our ftp site:
ftp://ftp.linksys.com/pub/network/wap11fw14g5.exe.

The new utility is also required to use this firmware, also available on our
ftp site : ftp://ftp.linksys.com/pub/network/wap11sw.exe.

These links are also published on our website at :
http://www.linksys.com/download/firmware.asp under the wap11 section from
the drop down." 

CVE:
Common Vulnerabilities and Exposures group ( reachable at
http://cve.mitre.org/ ) was contacted to get a candidate number. It will be
included here when available.

Credit:
This vulnerability was discovered by Frederic Brouille, member of VIGILANTe.
We wish to thank Atmel for their help in investigating this problem. 

Copyright VIGILANTe.com, Inc. 2001-12-21

Disclaimer:
The information within this document may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information lies
within the user's responsibility.

Feedback:
Please send suggestions, updates, and comments to isis () vigilante com.
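
The community-string condition described under "The problem", written as a monitoring check for SNMP traffic headed to an affected access point. This is an added example, not part of the VIGILANTe advisory: it decodes the SNMPv1/v2c message header and flags read requests whose community is not "public". The function names and sample datagrams are constructed for illustration, and the unknown-OID condition is not covered because it depends on the device's MIB.

```python
# Added example: flag SNMPv1/v2c read requests whose community is not "public".
READ_PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest"}

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def flag_read_request(datagram):
    """Return (pdu_name, community) for a flagged read request, else None."""
    try:
        tag, msg, _ = read_tlv(datagram, 0)          # Message ::= SEQUENCE
        if tag != 0x30:
            return None
        tag, _version, pos = read_tlv(msg, 0)        # version INTEGER
        if tag != 0x02:
            return None
        tag, community, pos = read_tlv(msg, pos)     # community OCTET STRING
        if tag != 0x04:
            return None
        pdu_tag, _, _ = read_tlv(msg, pos)           # PDU, context-tagged
    except ValueError:
        return None                                  # not parseable as SNMP
    if pdu_tag in READ_PDUS and community != b"public":
        return READ_PDUS[pdu_tag], community
    return None

def sample_get(community):
    """Constructed sample: SNMPv1 GetRequest for sysDescr.0 with this community."""
    pdu = bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500")
    inner = b"\x02\x01\x00" + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(inner)]) + inner

if __name__ == "__main__":
    for name in (b"public", b"private", b""):        # constructed community values
        print(name, "->", flag_read_request(sample_get(name)))
```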

